Calls for clarity over Amazon insider breach

Amazon is coming under pressure to detail the magnitude of an apparent insider data breach that has seen the email addresses of multiple customers leaked by malicious employees.

Emails from Amazon’s customer service teams were received by a number of customers over the weekend of 24-25 October 2020, explaining that their email addresses had been disclosed by an Amazon employee to a third party.

The emails said the employees responsible had been fired and added that no other information from any of the compromised accounts had been shared – nor was the incident the result of anything the customer may have done.

An Amazon spokesperson told Computer Weekly: “The individuals responsible for this incident have been fired. We have referred the bad actors to law enforcement and are supporting their criminal prosecution.”

Jo O’Reilly, digital privacy expert at ProPrivacy, said: “The fact that a number of Tweets that have appeared over the last few days from Amazon customers stating that they have been the victim of a data breach will rightfully be a worry to consumers.

“Finding out than an Amazon employee has been passing customer emails to a third party is particularly concerning, especially as Amazon appears to have been very vague about the details.”

O’Reilly added: “The online retail giant has confirmed that they are working directly with the authorities and that the employee in question has been fired. However, more transparency with the consumers impacted and what this means for their online privacy is now needed.”

Customers who received emails about this incident from Amazon can best protect themselves by paying careful attention to their inboxes, as leaked information of this nature often finds its way into databases used by cyber criminals to conduct phishing attacks. Further guidance on protecting yourself from phishing is available from the UK’s National Cyber Security Centre, while Amazon has also made guidance available.

Amazon does have multiple cyber security systems in place to limit and control access to information, and processes for identifying and investigating suspicious behaviour, which in this instance are understood to have functioned as designed and notified it about the incident before more serious damage could be done.

However, O’Reilly said Amazon could do more to mitigate the threat of the leaked data being used in phishing attacks by being upfront about exactly who the data was shared with.

The desire for clarity notwithstanding, it is important to note that at the time of writing, there is absolutely no evidence to suggest malicious actions on Amazon’s part.

Also, while it is not inconceivable that the company could face action under the General Data Protection Regulation (GDPR) if the circumstances demand it, pinning responsibility on employers for the actions of their employees is a tricky legal question.

In April 2020, the UK Supreme Court ruled that employers cannot be held vicariously liable for intentional data breaches committed by employees because disclosing private data was not within the scope of their duties. This judgment settled a long-running case against supermarket chain Morrisons, which dated back to 2014.

Exabeam director of product marketing Orion Cassetto said it was incumbent on all organisations to recognise that threats emanating from legitimate users were more elusive and harder to detect, while Jan van Vliet, EMEA vice-president at Digital Guardian, described them as tough nuts to crack, whether malicious or accidental.

“For security analysts, spotting security incidents arising from within their company, which is arguably their own customer base, is particularly tricky because the attacker may have legitimate access,” said van Vliet.

“If the credentials being input are valid, the same alarms are not raised as when an unauthorised user attempts entry from the outside.”

An insider threat report published by cloud security firm Bitglass in September 2020 revealed that 61% of enterprises have had an insider breach within the past 12 months, whether accidental or malicious, and 73% thought such incidents were becoming more frequent.

Bitglass CTO Anurag Kahol pointed out that the massive increase in cloud-based environments, remote working and staff-owned device usage – motivated at least in part by the Covid-19 pandemic – all served to make sensitive data more accessible, presenting a significant challenge to security teams, who might now find it harder to spot the signs of an impending incident.

Cassetto added: “A combination of training, organisational alignment and technology is the right approach to stopping insider threats. Behavioural analytics technology that tracks, collects and analyses user and machine data to detect threats within an organisation is essential because it determines anomalous from normal behaviours.

“This is typically done by collecting data over a period of time to understand what normal user behaviour looks like, then flagging behaviour that does not fit that pattern. It can often spot unusual online behaviours – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats.

“More importantly, it can often spot these unusual behaviours among compromised insiders long before criminals have gained access to critical systems.”